LAMP on Digital Ocean

I’ve been experimenting lately with using DigitalOcean both for remote dev environments (to facilitate development on a Chromebook) and also for staging/testing servers.

The plugin for Vagrant in concert with chef solo makes spinning up and provisioning new instances a breeze, but this post is about going the slightly more manual route, and using one of the application bundles (currently in beta) for Ubuntu 12.04.

These steps are a combination of things I’ve gleaned from various other places and my experience. I make no claim for their soundness.

Create the droplet

Create a new droplet using the Ubuntu 12.04 x32 (or x64–it shouldn’t matter for our purposes here), and select “LAMP on Ubuntu 12.04” from the Applications tab.

At this point, I’m going to assume that you’ll also add your SSH public keys, so you don’t have to login with username and password credentials. (If you don’t have an SSH key, here are some instructions for generating one, you can just ignore the git-specific stuff.) An advantage of doing this is that your root password to the new droplet will not be sent over email (because there will no root password).

When you’ve selected all the options, click “Create Droplet.”

Login and Setup

Droplet creation should take a minute at most, after which you’ll see a screen with various information about your newly created vm, including an IP address. If you specified that your SSH keys should be automatically added, you should be able to SSH in now.

ssh root@ip.address.goes.here

First off, let’s change the default mysql root password as suggested by the login banner (note that the banner may continue to say that the password is still “password” even after you’ve changed it and logged in again):

mysqladmin -u root -p'password' password newpassword

Next, because we began with our SSH keys pre-installed, there’s no root password, so set one by typing `passwd` and following the prompts.

Next we’ll issue some commands with the package manager used by Ubuntu, `apt-get` to first update the list of available packages, and then upgrade the installed ones:

apt-get update
apt-get upgrade

Next, install fail2ban, a service that scans logfiles and auto-bans IP addresses that show signs of malicious activity, a good line of defense against crackers:

apt-get install fail2ban

Next, I’ll install my text editor of choice, vim:

apt-get install vim

As well as unzip…

apt-get install unzip

… and ack

apt-get install ack-grep

Adding a user

Because it is, for a variety of reasons, generally not a good idea to do things as root, let’s add a new user, create a home folder for them with the right permissions, ┬ácopy the contents of root’s authorized keys files to the new user’s .ssh folder, so we can ssh in as that user, give them a password, and set their default shell to bash.

useradd luke
mkdir /home/luke
mkdir /home/luke/.ssh
chmod 700 /home/luke/.ssh

And add the contents of the root user’s authorized_keys files to that of the new user:

cat .ssh/authorized_keys > /home/luke/.ssh/authorized_keys
chmod 400 /home/luke/.ssh/authorized_keys
chown -R luke:luke /home/luke
passwd luke
chsh -s /bin/bash luke

Now we’ll give that user the ability to run commands as root via `sudo`. Type `visudo` then enter this line, say, below the similar one for root (it doesn’t matter where, actually):

luke ALL=(ALL) ALL

Hit Command-X when done editing.

Now we’ll disable remote root login. Edit this file, /etc/ssh/sshd_config, with vim, or however you prefer, and make change “PermitRootLogin yes” to “PermitRootLogin no”, and uncomment the line “#PasswordAuthentication yes” and change it to “no”. This will mean you can only login on machines that have your SSH private key. Following that, we need to restart ssh:

service ssh restart

Now we’ll install a firewall to control which ports we allow traffic into. We’ll allow SSH and SFTP (port 22), HTTP (80), and HTTPS (443).

apt-get install ufw
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable

You may get a warning after the last command about this disrupting your SSH session, but you should be able to ignore it.

Other dev tools

git, rvm + ruby, tmux

apt-get install git
apt-get install tmux
\curl -L https://get.rvm.io | bash -s stable --ruby

Miscellany

These are just some relevant notes and steps I’m including mostly for myself to remember for later:

FTP

In some cases you may need FTP and not just SFTP.

apt-get install vsftpd

Edit /etc/vsftpd.conf and change the following lines

anonymous_enable=NO
local_enable=YES
write_enable=YES

Save the file, and `/etc/init.d/vsftpd restart` then `ufw allow 21`.

Serving a git repository

If you’re serving files directly from a git repository, make sure you aren’t serving .git.

Throttle outbound Spotify traffic

When working on a shared network with limited bandwidth, it’s sometimes nice to be able to keep listening to Spotify without ruining your co-workers’ Internet connections.

Spotify is P2P (the desktop app is, anyway), so you both receive data from other Spotify users and transmit it to them. Blocking the outgoing traffic entirely would be un-neighbourly (probably also a violation of TOS), and might even prevent streaming from working altogether.

Fortunately, as I just discovered, ipfw allows you to add a pipe to a range of ports, all of which you can then throttle to a certain data transfer rate. It’s a shotgun approach, and will slow down any other services that are trying to send data over those ports as well, but since Spotify seems to stick to the range 10000 to 80000, and I rarely if ever run anything of consequence on those ports, this approach works for me.

sudo ipfw add pipe 1 ip from any to any out dst-port 10000-80000
sudo ipfw pipe 1 config bw 8KBytes/s